[nycphp-talk] PHP Form Validation

Peter Sawczynec ps at pswebcode.com
Mon Sep 5 07:46:56 EDT 2005


I knew I'd looked through the "php.ini-recommended" before and I did not
find it thorough, so for the purposes of this discussion I just reviewed it
again and I still find: 

open_basedir = "" [is not set],  
allow_url_fopen = On, 
expose_php = On, 
safe_mode = off,
track_errors = Off,

All these settings should be reversed for the default. Open_basedir must be
set.
Like I said, out of the box with all restrictions and let admins turn on
features only as needed.

Apache also has several little canoodles in the conf, e.g.: ServerSignature
On.  Specifying Listen should probably be mandatory.

Peter





-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Hans Zaunere
Sent: Sunday, September 04, 2005 7:05 PM
To: 'NYPHP Talk'
Subject: Re: [nycphp-talk] PHP Form Validation




Billy Pilgrim wrote on Saturday, September 03, 2005 4:28 PM:
> On 9/3/05, Peter Sawczynec <ps at pswebcode.com> wrote:
> > "For advanced: The fully-locked down php.ini, a freshened standard 
> > in scripting language security",
> 
> http://us3.php.net/manual/en/install.unix.php
> 
> 13. Setup your php.ini file:
> 
>       cp php.ini-dist /usr/local/lib/php.ini
> 
>     You may edit your .ini file to set PHP options.  If you prefer your
>     php.ini in another location, use --with-config-file-path=/some/path in
>     step 10.
> 
>     If you instead choose php.ini-recommended, be certain to read the list
>     of changes within, as they affect how PHP behaves.

php.ini-recommended does change behavior, but it's the correct behavior.
Code should be written to work under the settings contained within
php.ini-recommended.  In fact, the first thing I do on all PHP installs is
to cp php.ini-recommended to php.ini in the proper directory.

Using php.ini-recommended provides for better security, performance, and
eliminates many of the idiosyncrasies that PHP has seen over the years.

H
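
An added example, not part of the thread or of the PHP distribution: a Python check that reads a php.ini and reports which of the five directives named in the first message differ from the values that message asks for. The `WANTED` table, the function names and the sample file are constructed for illustration.

```python
import re

# Values the first message in this thread asks for (that poster's preference,
# not an official baseline): True = on, False = off, "set" = non-empty.
# Note: safe_mode exists only in PHP versions before 5.4.
WANTED = {"open_basedir": "set", "allow_url_fopen": False,
          "expose_php": False, "safe_mode": True, "track_errors": True}
# PHP's built-in defaults, which apply when php.ini never sets the directive.
BUILTIN = {"open_basedir": "", "allow_url_fopen": "1", "expose_php": "1",
           "safe_mode": "0", "track_errors": "0"}
FALSY = {"", "0", "off", "no", "false", "none"}  # php.ini spellings of "off"
LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    values = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank line, [section] header or ';' comment
        name, value = m.groups()
        if value.startswith('"'):  # quoted: keep text up to the closing quote
            value = value[1:].split('"', 1)[0]
        else:  # unquoted: drop a trailing '; comment'
            value = value.split(";", 1)[0].strip()
        values[name] = value
    return values

def audit(text):
    """Return sorted (directive, effective value) pairs that differ from WANTED."""
    ini = parse_ini(text)
    findings = []
    for name, want in WANTED.items():
        value = ini.get(name, BUILTIN[name])
        is_on = value.lower() not in FALSY
        if is_on != (want is not False):
            findings.append((name, value))
    return sorted(findings)

# Constructed sample that mirrors the settings quoted in the message.
SAMPLE = """[PHP]
;open_basedir =
allow_url_fopen = On
expose_php = On   ; sends the X-Powered-By header
safe_mode = Off
track_errors = Off
"""

if __name__ == "__main__":
    for name, value in audit(SAMPLE):
        print(f"{name} = {value!r} differs from the requested value")
```

A directive that is commented out or missing is judged by PHP's built-in default, which is why `open_basedir` is reported for the sample even though no line assigns it.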
